The Office of Management and Budget is giving agencies the playbook to move to a dynamic, proactive cybersecurity environment after more than a decade of reacting to threats and vulnerabilities.
More than a year after making continuous diagnostics and mitigation (CDM) the new standard by which agencies should secure their systems, OMB issued a memo late Monday outlining specific deadlines they must meet to implement what many believe is a better approach to cybersecurity.
The Homeland Security Department, which is leading the operations effort, issued a new policy calling for agencies to move to CDM in June 2012. Since then, DHS and OMB have been putting the pieces in place for agencies to move to dynamic cybersecurity on a full-time basis.
“The requirement to manage information security risk on a continuous basis includes the requirement to monitor the security controls in federal information systems and the environments in which those systems operate on an ongoing basis, one of six steps in the National Institute of Standards and Technology (NIST) Risk Management Framework,” wrote Sylvia Burwell, OMB director, in the memo to agency heads. “This allows agencies to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
Burwell said agencies will undertake a phased approach to fully implement what OMB is now calling information security continuous monitoring (ISCM), instead of continuous diagnostics and mitigation, by 2017. Many expected OMB to issue this memo earlier in the fall, but Burwell pulled the memo back in late September to clarify which systems will be continuously monitored.
In the memo, agencies are required to develop an ISCM strategy by Feb. 28, addressing “all security controls selected and implemented by agencies, including the frequency of and degree of rigor associated with the monitoring process.”
An OMB official, speaking on background in order to be more candid about the policy, said agencies should use the strategy to figure out the level of their maturity across programmatic, technical and management controls.
The official said the strategy also will help agencies determine which one of three approaches they will take to implement ISCM:
Rely solely on internal capabilities
Rely solely on DHS
Partner with DHS
“The approach goes back to where each agency is technically and whether they possess the capabilities with regards to cyber,” the official said. “As we thought about this, DHS provides services centrally and through standards across the government. It would be more cost efficient and helpful to agencies who may not have tools in house. Part of what agencies will realize as they complete the foundational survey is whether they will need to or how much they will need to work with DHS.”
One cyber expert called the memo too process- and compliance-centric.
Robert Lentz, a former DoD official and now president of Cybersecurity Strategies, said in an email, “I strongly believe this focuses on the wrong priority. While this complicated mandate will force considerable resources to focus on ‘hygiene’ issues, the real problem is advanced persistent threats/zero-day vulnerabilities that will cause much more serious problems. Finally, the only way to address this hygiene/traditional approach is to achieve ‘enterprise’ procurement across the government to drive down costs.”
DHS is trying to address the enterprise procurement issue. In August, as part of the buildup to ISCM, DHS awarded 17 vendors a spot on a $6 billion blanket-purchase agreement to provide CDM tools and services.
The request for quote, obtained by Federal News Radio, shows DHS wants tools for 33 agencies that support hardware asset management, software asset management, configuration management and vulnerability management.
The RFQ also stated the hardware and software asset management needs to support functions such as knowledge fusion, application whitelisting, database scanning, Web application scanning and code review.
GSA and DHS say the tools and sensors will:
Simplify the security authorization process by helping to automate both security assessments and authorization processes.
Continuously monitor and report system security status to agencies’ information security personnel.
Provide specific details to help prioritize remediation efforts.
Allow system owners, risk managers, authorizing officials, and other stakeholders to make better risk-management decisions.
Report the security posture of monitored systems to the CyberScope application, thereby reducing the requirement for manual inputs.
DHS and GSA asked specifically for tens of thousands to hundreds of thousands of tools from seven vendors, including IBM, McAfee, Symantec, BDNA, Application Security Inc., Tenable and Hewlett-Packard.
“There are approximately 33 departments and agencies (and additional components within each department and agency) that the products obtained through this order will support,” the RFQ stated. “Staggered product delivery shall be within 60 to 90 days from the date of award.”
DHS and GSA say they will provide a delivery schedule within 30 days after they award the task orders.
Sources say they expect DHS and GSA to issue future task orders for services to implement these tools.
OMB’s memo stated agencies must begin to procure these products by Feb. 28 as part of Phase 1 of the ISCM initiative.
As part of Phase 1, OMB published a government-only concept of operations for ISCM to its MAX website.
The OMB official said a working group that includes executives from OMB, DHS, the CIO Council’s Information System and Identity Management Committee, the Committee on National Security Systems, NIST and others developed the document over the last year.
The official said the CONOPS will be a living document that is updated at least once a year, if not more often.
“We are working through how to sequence the other phases of this effort,” the official said. “That’s why we made it an iterative process.”
Then by May 30, departments must begin to deploy these products, and must ensure all systems have an up-to-date authority to operate before installing these tools and sensors.
In the memo, OMB mandates the use of the BPA to buy products and services unless the agency’s deputy secretary justifies why not in a letter to Beth Cobert, the deputy director for management.
The OMB official said the goal is to make sure agencies are buying the products and services in a standard way.
“If they don’t want to use the BPA, we want them to think about the total cost of ownership and if not using the BPA will cost them more,” the official said.
In the meantime, by April 30, agencies will have to identify any resource or skill gaps to manage the information security continuous monitoring process and name specific individuals to manage the program.
DHS also will develop and maintain a governmentwide dashboard of security data to identify the highest priority concerns. Each agency also will have an internal dashboard that will send information to DHS to populate the governmentwide version.
New special publication coming
The official said the dashboard will be in the same vein as the IT Dashboard, giving OMB, DHS and others a snapshot of the cyber issues most affecting agencies.
“The federal dashboard, maintained by DHS, shall provide information on specific vulnerabilities identified that could lead to adverse impacts to missions/business functions,” the OMB memo stated. “It will also supply data on agency performance for use by oversight entities to help identify the level of risk reduction which is both possible and beneficial for agencies (depending on their risk-based needs). Data gathered from the federal dashboard will be used by DHS to develop guidance for agencies with the intent of improving decision making regarding risk/cost tradeoffs.”
The memo doesn’t specify the exact time frame in which the dashboard will be in place.
Another key piece is new NIST guidance on how to conduct ongoing assessments and authorizations (A&A), which replaces certifications and accreditations (C&A).
NIST expects to release the new standard by March 31. Agencies then will have until June 30 to update their ISCM strategies to perform A&As.
“A well-designed and well-managed ISCM program can effectively transform an otherwise static security control assessment and authorization process into a dynamic process that provides essential, near real-time security-related information to agencies,” the memo stated. “Senior leaders can use this information to take appropriate risk response actions and make cost-effective, risk-based decisions regarding the operation of their information systems. Once established, a robust ISCM program will allow agencies to track the security state of their information systems on an ongoing basis and maintain the security authorizations for those systems over time.”